diff options
| author | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
| commit | d3760be01b120df8980c056ecc85a4229d660264 (patch) | |
| tree | ca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /src/resolve/resolved-mdns.c | |
| parent | 519d39deeeec7121649f28e7287b7790e50d2979 (diff) | |
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existance, if it there is any.
This is necessary since otherwise an attacker might put together a faked
negative response for one of our question including a high-ttl SOA RR
for any parent zone, and we'd use trust the TTL.
Diffstat (limited to 'src/resolve/resolved-mdns.c')
| -rw-r--r-- | src/resolve/resolved-mdns.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c index db23bc9d42..7c1012f4ea 100644 --- a/src/resolve/resolved-mdns.c +++ b/src/resolve/resolved-mdns.c @@ -122,7 +122,7 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us dns_transaction_process_reply(t, p); } - dns_cache_put(&scope->cache, NULL, DNS_PACKET_RCODE(p), p->answer, false, 0, p->family, &p->sender); + dns_cache_put(&scope->cache, NULL, DNS_PACKET_RCODE(p), p->answer, false, (uint32_t) -1, 0, p->family, &p->sender); } else if (dns_packet_validate_query(p) > 0) { log_debug("Got mDNS query packet for id %u", DNS_PACKET_ID(p)); |